Prevent local file inclusion/traversal/manipulation #13177

Merged
merged 1 commit into from Nov 14, 2016

@Mark-H
Collaborator
Mark-H commented Nov 14, 2016

Based on a report received September 8th from Chen Ruiqi there were several local file inclusion or manipulation vulnerabilities. This requires a valid manager session and access to a media source to exploit, so this was not possible with #13175.

In this pull request the found vulnerabilities are fixed, and the other relevant processors have also been updated to be extra careful about specially crafted requests attempting to break out of the media source paths.

The reported vulnerabilities were in (1) browser/directory/getlist which allowed moving out of the media source base with `../`, and a similar issue (2) in browser/directory/remove. On further investigation this was also found in browser/directory/getfiles.

The other files updated in this pull request were not found to be vulnerable, as the calls to the (file) media source would sanitise the provided path/file names sufficiently. However, as there are different media sources available both core and third party, I've also updated other calls to the media source APIs to provide sanitised paths and file names.
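
A base-containment check of the kind described above, as an added example that is not taken from this pull request or from MODX's code. The function name `resolveInsideBase`, the base path and the sample request values are assumptions made for illustration.

```php
<?php
declare(strict_types=1);

/**
 * Resolve a request-supplied relative path against a media source base.
 * Returns the absolute path, or null if the path would leave the base.
 * Lexical only: no filesystem access, so it also works for paths that
 * do not exist yet (for example a directory about to be created).
 * Hypothetical helper, not a MODX API.
 */
function resolveInsideBase(string $base, string $relative): ?string
{
    // NUL bytes never belong in a path.
    if (strpos($relative, "\0") !== false) {
        return null;
    }

    // Treat both separators alike, then walk the segments one by one.
    $segments = explode('/', str_replace('\\', '/', $relative));
    $stack = [];
    foreach ($segments as $segment) {
        if ($segment === '' || $segment === '.') {
            continue;            // "//", a leading "/", or the current directory
        }
        if ($segment === '..') {
            if ($stack === []) {
                return null;     // would climb above the base
            }
            array_pop($stack);
            continue;
        }
        $stack[] = $segment;
    }

    // A leading "/" was dropped above, so the result is always under $base.
    return rtrim($base, '/') . '/' . implode('/', $stack);
}

// Constructed sample requests against a hypothetical media source base.
$base = '/var/www/site/assets/';
$samples = ['images/logo.png', 'images/../docs/a.pdf', '../core/config/', 'images/../../core/'];

foreach ($samples as $dir) {
    $resolved = resolveInsideBase($base, $dir);
    printf("%-24s => %s\n", $dir, $resolved ?? 'REJECTED');
}
```

The check is purely lexical; where a media source maps to a real filesystem, symlinks inside the base still need a `realpath()` comparison against the base.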

Mark-H: Prevent local file inclusion/traversal/manipulation
Based on a report received September 8th from Chen Ruiqi there were several local file inclusion or manipulation vulnerabilities.

In this pull request those are fixed, and the other relevant processors have also been updated to be extra careful about specially crafted requests attempting to break out of the media source paths.

The reported vulnerabilities were in (1) browser/directory/getlist which allowed moving out of the media source base with `../`, and a similar issue (2) in browser/directory/remove. On further investigation this was also found in browser/directory/getfiles.

The other files updated in this pull request were not found to be vulnerable, as the calls to the (file) media source would sanitise the provided path/file names sufficiently. However, as there are different media sources available both core and third party, I've also updated other calls to the media source APIs to provide sanitised paths and file names.
d3df889
Mark-H added this to the v2.5.2 milestone Nov 14, 2016
opengeek merged commit d3df889 into modxcms:2.5.x Nov 14, 2016

1 check passed

continuous-integration/travis-ci/pr The Travis CI build passed
opengeek added a commit that referenced this pull request Nov 14, 2016
opengeek: [SECURITY] Prevent local file inclusion/traversal/manipulation [#13177]
Merge remote-tracking branch 'origin/pr/13177' into 2.5.x

* origin/pr/13177:
  Prevent local file inclusion/traversal/manipulation
1cef48a